Chaos, a new type of malware that can attack both Linux and Windows systems, is spreading to amass resources for distributed denial of service (DDoS) attacks against online gaming companies. It has also been used against crypto exchanges and sites that offer items for in-game currency. Once installed, the malware collects information about the targeted system and sends it to an attacker-controlled server. It then looks for the public IP addresses of game servers and uses them to download configuration files that organize its DDoS attack. The malware has a modular design, which allows the attacker to re-configure it for different purposes. This means game results are harder to trace if they have been taken offline because of DDoS attacks, rather
The malware targets multiple operating systems and CPU architectures and is written in Go, a popular cloud and systems programming language. It can be found on routers, IoT devices, smartphones and e-commerce platforms. The supported architectures include x86, x86-64, AMD64, MIPS, MIPS64, ARMv5 through ARMv8, AArch64 and PowerPC. BlackLotusLabs.com is the infosec firm that came up with these
Chaos exploits known but unpatched security flaws in firewall devices and uses them to get inside a network. These include a critical remote code execution flaw affecting Huawei’s HG532 wireless routers for homes and small businesses (CVE-2017-17215) and another affecting the Moxa UC1850L series of RS-232 serial interface converters.
One of the key takeaways of this study was that the malware is written in Go, a language whose compiled binaries are harder to reverse engineer, which makes it more difficult to determine how it works. Over 100 samples have been found; they enable Chaos’ operators to enumerate the environment, run remote commands, break into further machines and launch DDoS attacks.
Security breaches are a big problem: just a few days ago, a DDoS attack used malware to prevent legitimate requests from being processed. Victims included sites focused on gaming, finance, technology, media and entertainment, as well as cryptocurrency exchanges.
“Chaos malware made it a lot easier for attackers to do their work undetected, since it’s common for them to use stealth networks now. That can easily affect both personal and corporate devices.” Lumen believes with a moderate level of confidence that this is the work of a cybercriminal that’s waiting for access to infected devices. They would then launch DDoS and mining attacks.
The company believes this Chaos malware is a new version of the popular Kaiji IoT malware, which was discovered in 2020 by security researcher MalwareMustDie.
Kaiji is noteworthy because it was developed using Go. Most other IoT malware before this point was written in C or C++, two widely used languages for programming ‘bare metal’ and embedded systems.
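Because Chaos ships one Go codebase compiled for every architecture listed above, a first triage step for a suspicious sample is to read its ELF header for the target CPU and check for the strings a Go linker leaves behind. The helper below is an added example, not code from the article or from Lumen; the ELF headers it inspects are constructed inline, and the Go marker strings are a heuristic, not a definitive signature.

```python
import struct
from typing import Optional

# ELF e_machine values for the architectures the report says Chaos targets.
ELF_MACHINES = {
    0x03: "x86", 0x3E: "x86-64", 0x08: "MIPS",
    0x28: "ARM", 0xB7: "AArch64", 0x14: "PowerPC", 0x15: "PowerPC64",
}

# Heuristic byte strings the Go toolchain embeds (build ID and buildinfo magic).
GO_MARKERS = (b'Go build ID: "', b"\xff Go buildinf:", b"runtime.goexit")


def elf_arch(data: bytes) -> Optional[str]:
    """Return the target architecture from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]        # class: 1=32-bit 2=64-bit; data: 1=LE 2=BE
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine is at offset 18
    name = ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})")
    if name == "MIPS" and ei_class == 2:        # EM_MIPS is shared by MIPS and MIPS64
        name = "MIPS64"
    return name


def looks_like_go(data: bytes) -> bool:
    """Heuristic: any Go linker marker present anywhere in the file."""
    return any(marker in data for marker in GO_MARKERS)


def triage(data: bytes) -> dict:
    arch = elf_arch(data)
    return {"elf": arch is not None, "arch": arch, "go": looks_like_go(data)}


def make_sample(e_machine: int, ei_class: int, ei_data: int, body: bytes) -> bytes:
    """Constructed (not real) ELF header: e_ident, e_type=EXEC, e_machine, then body."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", 2, e_machine) + body


if __name__ == "__main__":
    samples = {
        "x86-64 Go-like": make_sample(0x3E, 2, 1, b"\x00" * 64 + b'Go build ID: "abc"\n'),
        "MIPS64 big-endian": make_sample(0x08, 2, 2, b"\x00" * 32),
        "not ELF": b"MZ" + b"\x00" * 40,
    }
    for label, sample in samples.items():
        print(f"{label:20s} -> {triage(sample)}")
```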
Lumen’s report was only one of many examples we found of such cybersecurity issues. Once Chaos is installed on a host device, it communicates with its embedded command and control (C2) server. The host receives an initial set of commands that tell it to propagate via some kind of vulnerability or via SSH private keys.
“Based on the first set of commands, the host may receive a number of additional execution commands, including propagating to the designated CVE and specified target lists, further exploitation of the current target, a specific type of DDoS attack against a specified domain or IP and port, and performing crypto mining,” Lumen notes.
It’s worth noting that Chaos infections are currently concentrated in Europe, but we know there are also hotspots in North and South America as well as Asia-Pacific. We haven’t seen any Chaos bots in either Australia or New Zealand. Lumen detected over 100 Chaos nodes in September, up from under 20 in April, with a relatively big jump (40 to 90) between July and August.
The Chaos DDoS attacks were notable for their use of the UDP and TCP/SYN protocols, targeted at a wide range of ports. The DDoS-as-a-service provider also sells CAPTCHA bypass and other types of transport layer DDoS.